Typosquatting is a type of social engineering attack which targets internet users who incorrectly type a URL into their web browser rather than using a search engine. Typically, it involves tricking users into visiting malicious websites with URLs that are common misspellings of legitimate websites. Users may be tricked into entering sensitive details into these fake sites. For organizations victimized by these attackers, these sites can do significant reputational damage.
The ‘typo’ in typosquatting refers to the small mistakes people can make when typing on a keyboard. Typosquatting is also known as URL hijacking, domain mimicry, sting sites, or fake URLs.
Typosquatting is a form of cybercrime that involves hackers registering domains with deliberately misspelled names of well-known websites. Hackers do this to lure unsuspecting visitors to alternative websites, typically for malicious purposes. Visitors may end up at these alternative websites through one of two ways:
The hackers may emulate the look and feel of the sites they are attempting to mimic hoping that users will divulge personal information such as credit card or bank details. Or the sites may be well-optimized landing pages containing advertising or pornographic content, which generate high revenue streams for their owners.
Typosquatting is not only a problem for users – business owners are also affected, not least because every stolen visitor is potentially a lost customer. For this reason, companies and organizations should keep an eye on falsifications of their website and take action where appropriate.
Typosquatting attacks start with cybercriminals buying and registering a domain name that is a misspelling of a popular website (some cybercriminals go so far as to buy multiple URLs). For example, instead of purchasing example.com, the cybercriminal might buy examplle.com or exmple.com.
A typosquatting domain becomes dangerous when real users start visiting the site. They may have typed the URL by mistake. Or they may have been lured there by a phishing scam, typically over email, which contains a link to the typosquatted website.
Often, the fake site is designed to mimic the real version, using the real organization’s logo and design. Users who do not realize they are visiting a fake website may be tricked into entering sensitive information, such as their username and password or their bank or credit card details. The hackers can access this information and, if the victim uses the same username and password across multiple sites, then other online accounts will be at risk.
To a large extent, typosquatting relies on confusion or simple human error, such as:
Perhaps the most common error when entering search information, typos are often the product of our rushed day-to-day lives. Those who usually type quickly and imprecisely or rely heavily on autocorrect are especially prone to becoming victims of these domain types – for example, typing gogle.com instead of google.com.
Sometimes a user has not made a typo but is unaware of the correct spelling of a brand name, and squatters are well aware of this fact. For this reason, many businesses register misspelled variants of their site’s name before others can beat them to it – and then redirect these misspelled versions to their real homepage.
Alternative spelling options of common product names or services have the potential to confuse internet visitors. For example, there are variations between American English and British English – such as the word “favorite,” which is spelled “favourite” in British English. If your web address contains a word that is spelled differently in other countries, this could lead to a user inadvertently typing the wrong URL into their browser.
The addition (or omission) of a hyphen in a domain name can also cause confusion. For example, if the URL is usually example-onlineshop.com, typosquatters might add an extra hyphen to deceive users – e.g. example-online-shop.com. At a glance, users may think this is the genuine site when in reality typosquatters are using it for malware or advertising purposes.
The range of domain endings for different countries, such as .com, .co.uk, .cn, etc., and also for different types of organizations – i.e. .com, .org, .web, .shop – creates further scope for typosquatting. This is why it is important for website operators to register a range of top-level domains to prevent different permutations from falling into the wrong hands. Typosquatters are especially fond of the Colombian top-level domain, .co, due to its similarity with the most widely used TLD, .com.
The most common uses of typosquatted domains include:
As outlined above: the scam website passes itself off as the real thing, portraying itself as the correct site. For example, if the site is emulating a well-known bank, it will adopt the logo, color scheme, and page layout of that bank. The purpose of an imitator site is to host a phishing scam, gathering log-in credentials and personal data.
The fake website purports to sell you something you might have bought at the correct URL. Often, these are digital purchases that are difficult to dispute on a credit card statement. The buyer does not receive the item they want, but they will still pay for it.
The owner uses traffic meant for the real site to drive traffic to competitors, charging them on a cost-per-click basis.
Fake website owners host advertisements or pop-ups to generate advertising revenue from webpage visitors.
The fake site pretends to be gathering customer feedback. In reality, its purpose is to collect enough information or data to carry out identity theft.
The fake site redirects traffic back to the brand through affiliate links to earn a commission from all purchases via the brand's legitimate affiliate program.
The malicious website installs malware or adware on the devices of visitors.
These sites ridicule or make fun of the existing site that the user intended to visit. The motivation in this instance is often revenge.
A similar cybercrime to typosquatting is cybersquatting, also known as domain squatting. In this case, a person purchases URLs that have similar spellings to other websites and brands. Typically, the motivation is not to build a website at the address but to sell the URLs to the owners of the authentic websites and brands for maximum profit.
Because companies want to protect their customers and brands, many feel compelled to buy URLs from cybersquatters and are often prepared to pay a premium to do so. This makes cybersquatting a profitable activity since it is often quite cheap for the cybersquatter to register domains for most TLDs.
Cybersquatters want to make easy money. Typosquatters go further by wanting to hack into a person’s computer, so the victim is vulnerable to identity theft and security breaches.
A variation on typosquatting is called combosquatting. This is where criminals register domains that differ slightly from legitimate domains by adding extra words, such as amazon-onlineshop.com, to confuse users into thinking it is a legitimate Amazon website. In this instance, no typos are involved, merely the presence of additional words to deceive users.
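The error classes described above (typos, hyphen changes, different domain endings) and combosquatting can be checked mechanically when reviewing DNS or proxy logs for lookalikes of a domain you own. The following is an added example, not part of the original article; the function names and sample hostnames are constructed, and it assumes each hostname is a bare registrable domain with no subdomain.

```python
# Added example: classify observed domains against one protected domain (sample data is constructed).

def split_domain(domain):
    """Split 'name.tld' at the first dot: 'example.co.uk' -> ('example', 'co.uk')."""
    name, _, tld = domain.lower().strip(".").partition(".")
    return name, tld

def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, transpose."""
    # First row and column hold the cost of building a prefix from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped adjacent keys
    return d[len(a)][len(b)]

def classify(observed, protected):
    """Return the lookalike class of `observed` relative to `protected`."""
    o_name, o_tld = split_domain(observed)
    p_name, p_tld = split_domain(protected)
    if o_name == p_name:
        return "legitimate" if o_tld == p_tld else "tld-swap"
    if o_name.replace("-", "") == p_name.replace("-", ""):
        return "hyphen-variant"
    if edit_distance(o_name, p_name) == 1:
        return "typo"
    if p_name in o_name:
        return "combosquat"  # protected name plus extra words
    return "unrelated"

PROTECTED = "example-onlineshop.com"
SAMPLE_LOG = [  # constructed hostnames, as they might appear in DNS or proxy logs
    "example-onlineshop.com", "example-onlineshop.co", "example-online-shop.com",
    "exmple-onlineshop.com", "example-onlinehsop.com", "example-onlineshop-login.com",
    "unrelated-site.org",
]

def triage(log=SAMPLE_LOG, protected=PROTECTED):
    """Map each hostname to its class, dropping the legitimate and unrelated ones."""
    hits = {h: classify(h, protected) for h in log}
    return {h: c for h, c in hits.items() if c not in ("legitimate", "unrelated")}

if __name__ == "__main__":
    for host, kind in triage().items():
        print(f"{kind:15} {host}")
```

Domains the organization has registered defensively would need an allowlist in front of `classify`, since they will otherwise be reported as lookalikes.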
One of the earliest and most famous examples of typosquatting attacks involved Google. In 2006, typosquatters registered the site Goggle.com, which was operated as a phishing site. Over the years, variations on Google’s name – foogle, hoogle, boogle, yoogle (all chosen for their proximity to the letter “g” on QWERTY keyboards) – have been registered in an attempt to divert some traffic from the search engine.
In the past, celebrities including Madonna, Paris Hilton, and Jennifer Lopez have fallen victim to typosquatting domains – with websites set up using variations of their name but used to host porn or ads or affiliate links, to trick unsuspecting fans.
In the run-up to the 2020 US presidential election, it was reported that a number of candidates had typosquatting domains set up in their names by criminals with a variety of malicious motivations.
For individuals, you can minimize the risk of falling victim to typosquatting by:
For organizations, the best strategy is to try to stay ahead of typosquatting attacks:
Purchase important and obvious typo-domains and redirect these to your website. In addition, register other country extensions and other relevant top-level domains, alternate spellings, and variants with and without hyphens. Once registered, misspelled domains can easily be rerouted to the actual website with the help of redirects.
ICANN is the Internet Corporation for Assigned Names and Numbers. Website owners can use ICANN’s Trademark Clearing House to find out how their names are being used within different domains. This service is available to nationally or internationally registered brands.
SSL certificates are an excellent way to signal that your website is legitimate. They tell the end-user who they are connected with and protect user data during transfer. A missing SSL certificate can be a sign you have been taken to an alternative website.
If you believe someone is impersonating (or preparing to impersonate) your organization, let your customers, staff, or other relevant parties know to look out for suspicious emails or a phishing website.
The process for getting a website taken down varies by jurisdiction, but a great place to start is ICANN’s Uniform Domain Name Dispute Resolution policy. This outlines the process for trademark holders to raise complaints in order to have disputed sites taken down.
While legislation in the US and other jurisdictions can help protect websites from typosquatters, taking legal action can be costly in terms of both time and energy. Taking preventative measures to ensure that your site does not become the target of typosquatting attacks in the first place is highly recommended. As with most forms of cyberattack, the key to preventing typosquatting is constant vigilance. Your website visitors rely on you to identify and shut down any scam sites operating under your name – if you don’t, you could lose their trust.